The hack of numerous (US) authorities and companies via Solarwinds software in 2020 is probably still fresh in the minds of many readers. Now the Semperis security research team has discovered a new variant of "golden SAML", an attack technique that exploits the SAML authentication protocol and was used against Solarwinds by the hacker group Nobelium in 2020. The new attack technique is known as "Silver SAML".
In 2020, a hack of numerous (US) authorities and companies via Solarwinds software caused quite a stir (see US Treasury and US NTIA hacked). Security researchers first publicly described the attack vector known as "golden SAML" back in 2017 (see Accusation: Microsoft failed with security in the SolarWinds hack).
Now the Semperis security research team has discovered a new variant of this technique, which it calls "Silver SAML".
Golden SAML
Golden SAML was used in the 2020 cyberattack on Solarwinds, the most sophisticated nation-state hack in history to date. The hacking group Nobelium, also known as Midnight Blizzard or Cozy Bear, injected malicious code into Solarwinds' Orion IT management software, infecting thousands of organizations, including the U.S. government. Following this attack, the Cybersecurity and Infrastructure Security Agency (CISA) recommended that organizations with hybrid identity environments switch SAML authentication to a cloud identity system such as Entra ID.
Silver SAML
The newly discovered Silver SAML vulnerability can be exploited even if organizations have followed the security recommendations to protect against Golden SAML. Silver SAML allows threat actors to abuse the authentication protocol SAML (Security Assertion Markup Language) to launch attacks from an identity provider such as Entra ID against applications that use SAML for authentication, such as Salesforce.
Protection against Silver SAML attacks
To effectively protect against Silver SAML attacks in Entra ID, organizations should only use self-signed certificates generated by Entra ID itself for SAML signing, rather than externally generated certificates imported into Entra ID. Organizations should also restrict who can own applications in Entra ID. Finally, they should monitor for changes to SAML signing keys, especially when the replaced key was not about to expire, since a rotation with no expiry reason is a signal worth investigating.
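The three recommendations above can be turned into a simple audit of signing-certificate change events. The following Python script is an added example and is not code from Semperis or from the original article; it uses a constructed, hypothetical event schema (fields `app`, `actor`, `old_cert`, `new_cert`) as a stand-in for "signing certificate updated" audit entries, not real Entra ID audit-log output. It flags a change when the new certificate is not self-signed (imported key material), when the previous certificate still had plenty of validity left, or when the change was made by someone outside an expected set of application owners.

```python
"""Flag risky SAML signing-certificate changes in Entra ID-style audit events.

Added example with a constructed, hypothetical event schema; the sample
below is not real Entra ID audit-log output.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed clock so the constructed sample gives reproducible results.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def _at(days):
    """ISO-8601 timestamp `days` days from NOW (helper for the sample data)."""
    return (NOW + timedelta(days=days)).isoformat()


# Constructed audit events (hypothetical schema). "old_cert" is the signing
# certificate that was replaced, "new_cert" the one now active for the app.
SAMPLE_EVENTS_JSONL = "\n".join(json.dumps(e) for e in [
    # Routine rotation: old cert close to expiry, new cert self-signed, known admin.
    {"time": _at(0), "app": "contoso-salesforce", "actor": "idadmin@contoso.example",
     "old_cert": {"subject": "CN=Microsoft Azure Federated SSO Certificate",
                  "issuer": "CN=Microsoft Azure Federated SSO Certificate", "not_after": _at(10)},
     "new_cert": {"subject": "CN=Microsoft Azure Federated SSO Certificate",
                  "issuer": "CN=Microsoft Azure Federated SSO Certificate", "not_after": _at(1095)}},
    # Suspicious: old cert had over a year left, and the new cert was issued by an external CA.
    {"time": _at(0), "app": "contoso-hr-portal", "actor": "idadmin@contoso.example",
     "old_cert": {"subject": "CN=Microsoft Azure Federated SSO Certificate",
                  "issuer": "CN=Microsoft Azure Federated SSO Certificate", "not_after": _at(400)},
     "new_cert": {"subject": "CN=sso.contoso.example",
                  "issuer": "CN=Contoso Internal Issuing CA", "not_after": _at(730)}},
    # Suspicious: change made by an account that is not an expected application owner.
    {"time": _at(0), "app": "contoso-expense", "actor": "helpdesk-temp@contoso.example",
     "old_cert": {"subject": "CN=Microsoft Azure Federated SSO Certificate",
                  "issuer": "CN=Microsoft Azure Federated SSO Certificate", "not_after": _at(5)},
     "new_cert": {"subject": "CN=Microsoft Azure Federated SSO Certificate",
                  "issuer": "CN=Microsoft Azure Federated SSO Certificate", "not_after": _at(1095)}},
])


def parse_events(jsonl):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_self_signed(cert):
    """A self-signed certificate has identical subject and issuer names."""
    return cert["subject"] == cert["issuer"]


def audit_events(events, now=NOW, expiry_window_days=30, allowed_actors=frozenset()):
    """Return a list of findings, one per event that trips at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        if not is_self_signed(ev["new_cert"]):
            reasons.append("new signing certificate is not self-signed (imported key material)")
        days_left = (datetime.fromisoformat(ev["old_cert"]["not_after"]) - now).days
        if days_left > expiry_window_days:
            reasons.append(f"rotation while previous certificate still valid for {days_left} days")
        if allowed_actors and ev["actor"] not in allowed_actors:
            reasons.append(f"change made by unexpected actor {ev['actor']}")
        if reasons:
            findings.append({"app": ev["app"], "time": ev["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    owners = frozenset({"idadmin@contoso.example"})
    for f in audit_events(parse_events(SAMPLE_EVENTS_JSONL), allowed_actors=owners):
        print(f["time"], f["app"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed sample, the first event (a routine rotation) produces no finding, the second is flagged twice (imported certificate and rotation far from expiry), and the third once (unexpected actor). In practice the event list would come from the tenant's audit log export and `allowed_actors` from the organization's list of approved application owners.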
"After the Solarwinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (then Azure AD) would protect against SAML response forgery, also known as Golden SAML. Unfortunately, full protection from this type of attack is more nuanced – when organizations move certain certificate management practices from Active Directory Federation Services to Entra ID, the applications in their inventory are still vulnerable to SAML response forgery, which we refer to as Silver SAML," said Eric Woodruff, researcher at Semperis.
Semperis researchers classify the Silver SAML vulnerability as a moderate risk for organizations. However, should Silver SAML be used to gain unauthorized access to business-critical applications and systems, the risk could increase to a severe level depending on the system under attack. Semperis provides more information on the Silver SAML vulnerability in this blog post.
Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian ATP malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers
Four more security vendors confirm SolarWinds incidents